[strongSwan] mobileconfig configuration
Alex Sharaz
alex.sharaz at york.ac.uk
Fri Aug 25 15:09:23 CEST 2017
Hi,

Quick question about incorporating the CA chain in a .mobileconfig file.

I've used the Apple Configurator to create a .mobileconfig file for use against our SSwan 5.5.3 VPN service. Initially we used a locally generated server cert from our internal CA, so I included the intermediate and root CAs in the .mobileconfig payload. We've since moved to a public CA cert and again, I've got a .mobileconfig file that "just works", which has the public root and intermediate certs in the .mobileconfig file.

I've been asked to remove the root CA from the config file, working on the basis that as it's a generally available cert it should be on the client machine anyway and therefore we don't need to install it. The problem is that if I remove either the root or root + intermediate CAs, the VPN fails to connect.

I'm using an x509 cert to identify the server to the client and eap-peap via the eap-radius module to authenticate the user.

For the case without the CAs inserted I see:
Aug 25 13:17:42 07[NET] <1> received packet: from
2001:630:61:2000:6838:887b:6bfc:70[500] to 2001:630:61:180::1:c7[500] (432
bytes)
Aug 25 13:17:42 07[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No
N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 25 13:17:42 07[IKE] <1> 2001:630:61:2000:6838:887b:6bfc:70 is
initiating an IKE_SA
Aug 25 13:17:42 07[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 25 13:17:42 07[NET] <1> sending packet: from 2001:630:61:180::1:c7[500]
to 2001:630:61:2000:6838:887b:6bfc:70[500] (448 bytes)
Aug 25 13:17:47 15[NET] <2> received packet: from
2001:630:61:2000:6838:887b:6bfc:70[500] to 2001:630:61:180::1:c7[500] (432
bytes)
Aug 25 13:17:47 15[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No
N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 25 13:17:47 15[IKE] <2> 2001:630:61:2000:6838:887b:6bfc:70 is
initiating an IKE_SA
Aug 25 13:17:47 15[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 25 13:17:47 15[NET] <2> sending packet: from 2001:630:61:180::1:c7[500]
to 2001:630:61:2000:6838:887b:6bfc:70[500] (448 bytes)
Aug 25 13:17:47 06[NET] <2> received packet: from
2001:630:61:2000:6838:887b:6bfc:70[4500] to 2001:630:61:180::1:c7[4500]
(380 bytes)
Aug 25 13:17:47 06[ENC] <2> unknown attribute type (25)
Aug 25 13:17:47 06[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
N(MOBIKE_SUP) IDr CPRQ(ADDR SUBNET DHCP DNS MASK ADDR6 SUBNET6 DHCP6 DNS6
(25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 25 13:17:47 06[CFG] <2> looking for peer configs matching
2001:630:61:180::1:c7[vpn.york.ac.uk]...2001:630:61:2000:6838:887b:6bfc:70[UoY
VPN User]
Aug 25 13:17:47 06[CFG] <it-services-ikev2|2> selected peer config
'it-services-ikev2'
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> initiating EAP_IDENTITY
method (id 0x00)
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> peer supports MOBIKE
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> authentication of '
vpn.york.ac.uk' (myself) with RSA signature successful
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> sending end entity cert
"C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=
vpn.york.ac.uk"
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> sending issuer cert "C=BM,
O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response
1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> splitting IKE message with
length of 4044 bytes into 4 fragments
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response
1 [ EF(1/4) ]
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response
1 [ EF(2/4) ]
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response
1 [ EF(3/4) ]
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response
1 [ EF(4/4) ]
Aug 25 13:17:47 06[NET] <it-services-ikev2|2> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:6838:887b:6bfc:70[4500]
(1216 bytes)
Aug 25 13:17:47 06[NET] <it-services-ikev2|2> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:6838:887b:6bfc:70[4500]
(1216 bytes)
Aug 25 13:17:47 06[NET] <it-services-ikev2|2> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:6838:887b:6bfc:70[4500]
(1216 bytes)
Aug 25 13:17:47 06[NET] <it-services-ikev2|2> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:6838:887b:6bfc:70[4500]
(592 bytes)
Aug 25 13:18:12 05[JOB] <1> deleting half open IKE_SA with
2001:630:61:2000:6838:887b:6bfc:70 after timeout
Aug 25 13:18:17 06[JOB] <it-services-ikev2|2> deleting half open IKE_SA
with 2001:630:61:2000:6838:887b:6bfc:70 after timeout
With the CAs installed I get:

Aug 25 13:12:10 07[NET] <1> received packet: from
2001:630:61:2000:31f3:614f:10ed:bf93[500] to 2001:630:61:180::1:c7[500]
(432 bytes)
Aug 25 13:12:10 07[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No
N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 25 13:12:10 07[IKE] <1> 2001:630:61:2000:31f3:614f:10ed:bf93 is
initiating an IKE_SA
Aug 25 13:12:10 07[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 25 13:12:10 07[NET] <1> sending packet: from 2001:630:61:180::1:c7[500]
to 2001:630:61:2000:31f3:614f:10ed:bf93[500] (448 bytes)
Aug 25 13:12:10 08[NET] <1> received packet: from
2001:630:61:2000:31f3:614f:10ed:bf93[4500] to 2001:630:61:180::1:c7[4500]
(412 bytes)
Aug 25 13:12:10 08[ENC] <1> unknown attribute type (25)
Aug 25 13:12:10 08[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
N(MOBIKE_SUP) IDr CERTREQ CPRQ(ADDR SUBNET DHCP DNS MASK ADDR6 SUBNET6
DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 25 13:12:10 08[IKE] <1> received cert request for "C=BM, O=QuoVadis
Limited, CN=QuoVadis Root CA 2 G3"
Aug 25 13:12:10 08[CFG] <1> looking for peer configs matching
2001:630:61:180::1:c7[vpn.york.ac.uk]...2001:630:61:2000:31f3:614f:10ed:bf93[UoY
VPN User]
Aug 25 13:12:11 08[CFG] <it-services-ikev2|1> selected peer config
'it-services-ikev2'
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> initiating EAP_IDENTITY
method (id 0x00)
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> peer supports MOBIKE
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> authentication of '
vpn.york.ac.uk' (myself) with RSA signature successful
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> sending end entity cert
"C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=
vpn.york.ac.uk"
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> sending issuer cert "C=BM,
O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response
1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> splitting IKE message with
length of 4044 bytes into 4 fragments
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response
1 [ EF(1/4) ]
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response
1 [ EF(2/4) ]
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response
1 [ EF(3/4) ]
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response
1 [ EF(4/4) ]
Aug 25 13:12:11 08[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(1216 bytes)
Aug 25 13:12:11 08[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(1216 bytes)
Aug 25 13:12:11 08[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(1216 bytes)
Aug 25 13:12:11 08[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(592 bytes)
Aug 25 13:12:11 10[NET] <it-services-ikev2|1> received packet: from
2001:630:61:2000:31f3:614f:10ed:bf93[4500] to 2001:630:61:180::1:c7[4500]
(92 bytes)
Aug 25 13:12:11 10[ENC] <it-services-ikev2|1> parsed IKE_AUTH request 2 [
EAP/RES/ID ]
Aug 25 13:12:11 10[IKE] <it-services-ikev2|1> received EAP identity '
as1558 at york.ac.uk'
Aug 25 13:12:11 10[CFG] <it-services-ikev2|1> sending RADIUS Access-Request
to server 'primary'
Aug 25 13:12:11 10[CFG] <it-services-ikev2|1> received RADIUS
Access-Challenge from server 'primary'
Aug 25 13:12:11 10[IKE] <it-services-ikev2|1> initiating EAP_PEAP method
(id 0x01)
Aug 25 13:12:11 10[ENC] <it-services-ikev2|1> generating IKE_AUTH response
2 [ EAP/REQ/PEAP ]
Aug 25 13:12:11 10[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(76 bytes)
Aug 25 13:12:11 09[NET] <it-services-ikev2|1> received packet: from
2001:630:61:2000:31f3:614f:10ed:bf93[4500] to 2001:630:61:180::1:c7[4500]
(76 bytes)
Aug 25 13:12:11 09[ENC] <it-services-ikev2|1> parsed IKE_AUTH request 3 [
EAP/RES/NAK ]
Aug 25 13:12:11 09[CFG] <it-services-ikev2|1> sending RADIUS Access-Request
to server 'primary'
Aug 25 13:12:11 09[CFG] <it-services-ikev2|1> received RADIUS
Access-Challenge from server 'primary'
Aug 25 13:12:11 09[ENC] <it-services-ikev2|1> generating IKE_AUTH response
3 [ EAP/REQ/MSCHAPV2 ]
Aug 25 13:12:11 09[NET] <it-services-ikev2|1> sending packet: from
2001:630:61:180::1:c7[4500] to 2001:630:61:2000:31f3:614f:10ed:bf93[4500]
(108 bytes)
Aug 25 13:12:11 11[NET] <it-services-ikev2|1> received packet: from
2001:630:61:2000:31f3:614f:10ed:bf93[4500] to 2001:630:61:180::1:c7[4500]
(156 bytes)
Aug 25 13:12:11 11[ENC] <it-services-ikev2|1> parsed IKE_AUTH request 4 [
EAP/RES/MSCHAPV2 ]
....
and I've a successful VPN connection.

Config-wise, on the server I've got:

conn it-services-ikev2
    left=%any
    leftauth=pubkey
    leftcert=vpn.york.ac.uk.pem
    leftid=@vpn.york.ac.uk
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    leftfirewall=yes
    right=%any
    rightauth=eap-radius
    rightsendcert=never
    rightgroups="Cserv"
    eap_identity=%any
    keyexchange=ikev2
    rightsourceip=%itservices
    fragmentation=yes
    auto=add
Rgds
Alex
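As an added triage example (not part of the original post and not strongSwan's own code), the script below parses the two charon traces quoted above and reports the one visible difference between them: with the CA payloads present, the client's first IKE_AUTH request carries a CERTREQ naming the QuoVadis root it trusts and the exchange continues into EAP; without them there is no CERTREQ, the client never answers the server's IKE_AUTH response, and the half-open IKE_SA is deleted after the timeout. In IKEv2 the CERTREQ payload lists the CAs the sender is prepared to accept, so its absence is the first thing to check before touching the server config. The trace strings are trimmed copies of the log lines in the post with the e-mail line wrapping undone; the payload-name parsing and the verdict wording are simplifications assumed for this example.

```python
"""Triage strongSwan (charon) logs: did the IKEv2 client accept the server's
certificate chain, or did it go silent after IKE_AUTH response 1?
Added example for the mailing-list thread; not strongSwan's own tooling."""
import re
from dataclasses import dataclass, field
from typing import List

# Trimmed copies of the two traces in the post (IKE_SA_INIT, fragment and
# RADIUS lines omitted; e-mail line wrapping undone so each entry is one line).
TRACE_NO_CA = """\
Aug 25 13:17:47 06[ENC] <2> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR SUBNET DHCP DNS MASK ADDR6 SUBNET6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> sending end entity cert "C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=vpn.york.ac.uk"
Aug 25 13:17:47 06[IKE] <it-services-ikev2|2> sending issuer cert "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Aug 25 13:17:47 06[ENC] <it-services-ikev2|2> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Aug 25 13:18:17 06[JOB] <it-services-ikev2|2> deleting half open IKE_SA with 2001:630:61:2000:6838:887b:6bfc:70 after timeout
"""

TRACE_WITH_CA = """\
Aug 25 13:12:10 08[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ CPRQ(ADDR SUBNET DHCP DNS MASK ADDR6 SUBNET6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Aug 25 13:12:10 08[IKE] <1> received cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> sending end entity cert "C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=vpn.york.ac.uk"
Aug 25 13:12:11 08[IKE] <it-services-ikev2|1> sending issuer cert "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"
Aug 25 13:12:11 08[ENC] <it-services-ikev2|1> generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Aug 25 13:12:11 10[ENC] <it-services-ikev2|1> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
"""

IKE_AUTH_REQ = re.compile(r"parsed IKE_AUTH request (\d+) \[ (.*?) \]")
CERTREQ_FOR = re.compile(r'received cert request for "([^"]+)"')
SENDING_CERT = re.compile(r'sending (?:end entity|issuer) cert "([^"]+)"')
HALF_OPEN_TIMEOUT = re.compile(r"deleting half open IKE_SA .* after timeout")


def top_level_payloads(payload_list: str) -> List[str]:
    """'IDi N(INIT_CONTACT) CPRQ(ADDR (25)) SA' -> ['IDi', 'N', 'CPRQ', 'SA'].
    Parenthesised detail is stripped from the inside out so that nested
    groups such as CPRQ(... (25)) collapse to the bare payload name."""
    stripped = payload_list
    while True:
        reduced = re.sub(r"\([^()]*\)", "", stripped)
        if reduced == stripped:
            return stripped.split()
        stripped = reduced


@dataclass
class IkeAuthSummary:
    first_request_payloads: List[str] = field(default_factory=list)
    client_sent_certreq: bool = False
    trust_anchors_requested: List[str] = field(default_factory=list)
    certs_sent_by_server: List[str] = field(default_factory=list)
    reached_eap: bool = False
    timed_out: bool = False

    def verdict(self) -> str:
        if self.reached_eap:
            return "OK: client accepted the server chain and continued into EAP"
        if self.timed_out and not self.client_sent_certreq:
            return ("FAIL: no CERTREQ in IKE_AUTH request 1 and no reply to the "
                    "server's IKE_AUTH response; the client advertised no CA it "
                    "trusts, so check the certificate payloads in the profile")
        if self.timed_out:
            return ("FAIL: client requested %s but still went silent; check that "
                    "the chain the server sends leads to that anchor"
                    % ", ".join(self.trust_anchors_requested))
        return "INCONCLUSIVE: no EAP exchange and no timeout in this excerpt"


def summarize(log_text: str) -> IkeAuthSummary:
    """Walk one IKE_SA's log lines and collect the facts the verdict needs."""
    s = IkeAuthSummary()
    for line in log_text.splitlines():
        m = IKE_AUTH_REQ.search(line)
        if m:
            payloads = top_level_payloads(m.group(2))
            if int(m.group(1)) == 1:          # the client's first IKE_AUTH
                s.first_request_payloads = payloads
                s.client_sent_certreq = "CERTREQ" in payloads
            if any(p.startswith("EAP/RES/") for p in payloads):
                s.reached_eap = True          # client answered, chain was accepted
            continue
        m = CERTREQ_FOR.search(line)
        if m:
            s.trust_anchors_requested.append(m.group(1))
            continue
        m = SENDING_CERT.search(line)
        if m:
            s.certs_sent_by_server.append(m.group(1))
            continue
        if HALF_OPEN_TIMEOUT.search(line):
            s.timed_out = True
    return s


if __name__ == "__main__":
    for name, trace in (("without CA payloads", TRACE_NO_CA),
                        ("with CA payloads", TRACE_WITH_CA)):
        s = summarize(trace)
        print(f"{name}: CERTREQ={s.client_sent_certreq} "
              f"anchors={s.trust_anchors_requested}")
        print(f"  server sent {len(s.certs_sent_by_server)} cert(s); {s.verdict()}")
```

Note that in both traces the server sends exactly two certificates (end entity plus the QuoVadis ICA G3 issuer), never the root, which is the usual and correct behaviour: the root has to come from the client's own trust store or from the profile, not from the peer.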